I read a lot but be still a bit confused and before starting I want to be sure: If I add 2 FIDO Keys to my account for 2FA, can I still use all my trusted devices to use 2FA ? So is it really an additional option or did it replace the other ways that I have to do 2FA ?
iPhone 6s Plus
First: It has zero impact on normal useage of your Trusted Devices. You continue to enter your passcode / password; followed by Face/TouchID exactly as you do presently.
But: If you elect to install and configure hardware Security Keys, they become the ONLY accepted 2FA means to access your Apple Account from an untrusted device.
Restated:
First: It has zero impact on normal useage of your Trusted Devices. You continue to enter your passcode / password; followed by Face/TouchID exactly as you do presently.
But: If you elect to install and configure hardware Security Keys, they become the ONLY accepted 2FA means to access your Apple Account from an untrusted device.
Restated:
I can’t speak to how authentication onto Apple developer accounts might work …
… but an Apple Account with associated hardware security keys installed will not generate 6-digit TOTP verification codes.
A compatible NFC-capable security key WILL work with iPhones.
I’ve not attempted using either the Lighting or USB-C security keys interfaces on iPhones
I HAVE used both USB-A and USB-C security keys on MS-Windows machines (both 10 & 11) to authenticate into my Apple Account via a browser.
The use of hardware Security keys does NOT remove the the “traditional” pre-configured Verification Code receipt methods — it simply disables their functionality.
That functionality — itemized in the 3x bullets in prior post — are easily restored from a Trusted Device — by selecting “Remove All Keys” from within Settings.
Re: “… login from a new browser on Windows … In this case I must have the FIDO with me AND this FIDO must work with my Iphone …”
Almost.
In this specific example the registered hardware security key would be inserted into the Windows machine so as to be able authenticate your browser to your Apple Account.
After successfully authenticating, you’d receive an “informational” pop-up on your Apple Trusted Devices.
IMO the most readily evident potentially “negative impact” scenario:
You are traveling somewhere out of town carrying ONLY a single Trusted Device; presumably your iPhone.
If that phone is lost, damaged, or stolen; it’s fairly easy to purchase a replacement device.
BUT without one of your pre-registered, NFC-capable hardware security keys in-hand - you will NOT be able to add the replacement phone to your Apple Account or restore from an Automatic iCloud Backup.
So … thinking-thru — and actually rehearsing — the various recovery scenarios pertinent to your own particular situation is of paramount
importance for one devides to optionally use
hardware security keys.
You “have” 2FA functionality regardless of the method used.
With hardware security keys is a cryptologically secured method and extremely phishing-resistant.
With 6-codes, there IS a “human in the loop” making it inherently more “phishable” - and reliant on maintaining strong access controls to your Trusted Devices.
Thanks. That means if I try login from a new browser on Windows to my Apple Developeraccount I will NOT get this six numbers on my Iphone to login ? In this case I must have the FIDO with me AND this FIDO must work with my Iphone ( which are all older , means the physical key will not work with them) ?
Thanks a lot. So I will don't do it because if somehow the FIDO sticks are lost/defect and I go to "Remove All Keys" on my MacBook, to have the current 6 digit TOTP back, it will asking me for a 2FA which I did'nt have anymore.
Is Physical Security Key really additional ?
